[Mailman-Developers] Possible spam attack against MM lists

Stephen J. Turnbull stephen at xemacs.org
Thu Sep 2 07:30:19 CEST 2004


>>>>> "Nigel" == Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk> writes:

    Nigel> On Wed, 2004-09-01 at 10:41 -0400, J C Lawrence wrote:

    >> On Wed, 01 Sep 2004 11:16:05 +0100
    >> Nigel Metheringham <Nigel.Metheringham at dev.intechnology.co.uk> wrote:

    >>> I seem now to be getting posts to the list forged from
    >>> addresses of list members (or in one case a list itself).  The
    >>> rejection of these so far has been pretty much by sheer luck
    >>> (they failed the content policy checks).

    >>> Are other people seeing this?

ISTR a spam from "Barry Warsaw" on the python-dev list. <wink>

    >> Yup, to the tune of several score per day per list, tho I don't
    >> distinguish between SPAM and virus mail in this regard.

    Nigel> OK, maybe I have been lucky.  Although getting the member
    Nigel> list other than by archive trawling isn't possible - EU
    Nigel> data protection laws mean that I routinely not only block
    Nigel> list roster access but remove the appropriate fragments
    Nigel> from the list info pages.

I think you have been lucky, either in choosing members who don't use
Windows, or members who do but nonetheless don't catch viruses.  What
I see a fair amount of is mail "from" a list member to the list, that
has gone through a bunch of machines that seem to be a legit ISP not
that of the member.  Ie, it's one of those Yenta viruses that matches
up two address book entries, one as the sender, one as the receiver.

Spammers seem to have figured this or a similar trick out, as well.
Or maybe the spammer's agent is such a virus.

    jcl> I use TMDA as a C/R system in front of all my lists and then
    jcl> remove all posting controls on the lists at the Mailman level.
    jcl> Given that the majority of list members never even try to post,
    jcl> this has been proven a particularly effective control.

Since the majority of spam uses faked addresses all around, except on
the envelope, I can see why.  I'm afraid you may be in for a nasty
surprise in the near future (at least if you run open-subscribe lists,
even with confirmation) as I've witnessed two recent incidents where
the spammer subscribed to a members-only-post list, then spammed.
Since the confirmation for the subscription requires a valid address,
the TMDA challenge would go there, too!

    Nigel> I am wondering about switching to the Mailman members
    Nigel> initially moderated policy, although I don't really want to
    Nigel> increase the load on the moderators.

This will help prevent spammers from signing up for a one-time spam on
a members-only-post list, but otherwise, it doesn't help much, I
think.  A lot of the spam/spew I see is "from" charter members who
have been around for a decade.

    Nigel> What might add something would be an option where posters
    Nigel> get a response back on postings similar to the current
    Nigel> message held for moderation where they have a choice of
    Nigel> actions - post or cancel at a minimum.

It would for a while, but the spammer has a big advantage here once he
figures it out.  He just bounces back a response to _all_ such
challenges, whereas a conscientious member will have to check (at
least his memory) whether he posted or not.  OTOH, if it goes to the
forged address of a legit member, that would be an annoyance to
someone whose only sin is to have thrown snake eyes in the "spammer
alias" lottery.

    Nigel> It's recently been requested that we start allowing some
    Nigel> MIME parts through - especially PGP signature types

There's your answer---_require_ a PGP signature. <0.5 wink>

I've seriously considered doing that, not as a requirement, but as a
"self-approval" mechanism.  People with known signatures can post
without being molested by the filters, everybody else runs the gamut.
But I think it would be a lot of work for little profit in my
situation.

HTH.  Unfortunately, I dunno what the answer is, and the death penalty
more and more seems like a step in the right direction.  :-(

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
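
The pattern described in the message above, mail "from" a list member that arrives through an ISP that is not the member's, can be checked mechanically. The following is an added sketch, not part of the original message and not Mailman code; the `KNOWN_RELAYS` table, the addresses and the sample messages are constructed, and it assumes the hostname in the topmost Received header is the one recorded by the list's own MTA.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed history (assumption): relay domains each member normally posts through.
KNOWN_RELAYS = {"alice@example.org": {"example.org"}}

RECEIVED_FROM = re.compile(r"from\s+([A-Za-z0-9.-]+)", re.I)

def top_relay_domain(msg):
    """Domain of the host that handed the message to the list server.

    Only the topmost Received header is used: it is the one written by the
    list's own MTA, while everything below it is under the sender's control.
    """
    received = msg.get_all("Received", [])
    m = RECEIVED_FROM.match(received[0].strip()) if received else None
    if not m:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    return ".".join(labels[-2:])  # crude: wrong for suffixes like co.uk

def classify(raw, members=KNOWN_RELAYS):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in members:
        return "nonmember"
    if top_relay_domain(msg) in members[sender]:
        return "accept"
    return "hold"  # member address, unfamiliar relay: send to moderation

# Constructed sample messages.
LEGIT = """\
Received: from smtp.example.org (smtp.example.org [192.0.2.10])
 by lists.example.net; Thu, 2 Sep 2004 07:00:00 +0200
From: Alice <alice@example.org>
Subject: patch review

text
"""
FORGED = LEGIT.replace("smtp.example.org", "dsl-45.isp.example.com")

if __name__ == "__main__":
    print(classify(LEGIT), classify(FORGED))
```

A member who posts from a new network is held as well, so the result is a routing decision for moderators, not a rejection.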